Verify Your Binary

A binary you cannot verify is a binary you should not run.

Do not skip verification. A compromised binary could silently exfiltrate your private keys, record your messages, or install a backdoor. If you cannot verify the binary, build from source instead.

Verification Methods

RVNT provides three levels of verification, from fastest to most thorough:

Level  Method              Verifies                                              Time
1      SHA-256 checksum    Binary was not corrupted or tampered with in transit  ~5 seconds
2      GPG signature       Binary was signed by the RVNT release key             ~30 seconds
3      Reproducible build  Binary matches the published source code exactly      ~5-15 minutes

Level 1 protects against download corruption. Level 2 protects against a compromised download server. Level 3 protects against a compromised build pipeline (i.e., verifies that the binary was built from the source code you can audit).

Step 1: Import the Release Signing Key

RVNT release binaries are signed with our release GPG key. You need to import this key once.

# Download and import the key
curl -sL https://rvntos.io/keys/release.asc | gpg --import

# Verify the key fingerprint
gpg --fingerprint release@rvntos.io

# Expected output:
# pub   ed25519 2024-01-01 [SC]
#       XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX
# uid   RVNT Release Signing Key <release@rvntos.io>

# Cross-reference this fingerprint with:
#   1. https://github.com/rvntos/rvnt (README.md)
#   2. https://keybase.io/rvntos
#   3. https://rvntos.io/security (this website)
#   4. @rvntos on Twitter/X (pinned post)
#
# If the fingerprints do not match across all sources,
# the key may have been replaced. Do not proceed.

Key Details

Key type:      Ed25519 (via GnuPG 2.4+)
Key usage:     Signing only (no encryption capability)
Expiration:    2 years from creation (rotated before expiry)
Subkeys:       None (single signing key)
Key servers:   keys.openpgp.org, keybase.io

The release key is used ONLY for signing releases.
It is stored on an air-gapped machine.
It is never present on any internet-connected server.

Step 2: Verify the GPG Signature

Every release artifact has a corresponding .sig file containing a detached GPG signature.

# Download the binary and its signature
curl -O https://rvntos.io/releases/RVNT-1.0.0-aarch64.dmg
curl -O https://rvntos.io/releases/RVNT-1.0.0-aarch64.dmg.sig

# Verify the signature
gpg --verify RVNT-1.0.0-aarch64.dmg.sig RVNT-1.0.0-aarch64.dmg

# GOOD output:
# gpg: Signature made Mon Jan  1 00:00:00 2024 UTC
# gpg: using EdDSA key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# gpg: Good signature from "RVNT Release Signing Key <release@rvntos.io>"

# BAD output:
# gpg: BAD signature from "RVNT Release Signing Key <release@rvntos.io>"
# → DELETE THE BINARY IMMEDIATELY. It has been tampered with.

# WARNING output:
# gpg: WARNING: This key is not certified with a trusted signature!
# → This is normal if you have not set a trust level for the key.
#    The signature itself is still valid; gpg is only saying it cannot
#    vouch that the key belongs to RVNT, which is what the fingerprint
#    check in Step 1 establishes. Set trust with:
#    gpg --edit-key release@rvntos.io trust

Step 3: Verify the SHA-256 Checksum

Compare the SHA-256 hash of your downloaded file against the value published in the signed SHA256SUMS file.

# Download the checksums file and its signature
curl -O https://rvntos.io/releases/SHA256SUMS
curl -O https://rvntos.io/releases/SHA256SUMS.sig

# Verify the checksums file itself is signed
gpg --verify SHA256SUMS.sig SHA256SUMS
# Must show "Good signature"

# Compute the hash of your downloaded binary

# macOS:
shasum -a 256 RVNT-1.0.0-aarch64.dmg

# Linux:
sha256sum RVNT-1.0.0-amd64.AppImage

# Windows (PowerShell):
Get-FileHash .\RVNT-1.0.0-x64.msi -Algorithm SHA256

# Compare with the value in SHA256SUMS
# The hashes must match exactly. Any difference = tampered file.

SHA256SUMS File Format

# SHA256SUMS (signed with GPG release key)
a1b2c3d4...  RVNT-1.0.0-aarch64.dmg
e5f6a7b8...  RVNT-1.0.0-x64.dmg
c9d0e1f2...  RVNT-1.0.0-amd64.AppImage
a3b4c5d6...  RVNT-1.0.0-amd64.deb
e7f8a9b0...  RVNT-1.0.0-x64.msi
c1d2e3f4...  RVNT-1.0.0-x64-setup.exe

Step 4: Reproducible Build Comparison

For maximum assurance, build RVNT from source and compare the resulting binary hash against the official release. This verifies that the official binary was built from the published source code without modification.

# Clone the exact release version
git clone --branch v1.0.0 --depth 1 https://github.com/rvntos/rvnt.git
cd rvnt

# Verify the tag signature
git tag --verify v1.0.0

# Build with deterministic flags (must match CI build environment)
CARGO_BUILD_RUSTFLAGS="--remap-path-prefix=$HOME=~ --remap-path-prefix=$(pwd)=/build" \
  cargo build --release --locked

# Strip debug symbols (to match official build)
strip target/release/rvnt

# Compare hash
shasum -a 256 target/release/rvnt

# Compare this hash with the official SHA256SUMS value
# If they match: the official binary IS the source code, compiled.
# If they don't match: see "Troubleshooting" below.

Troubleshooting Reproducibility

Common reasons for hash mismatch:

  1. Different Rust toolchain version
     Fix: check rust-toolchain.toml for exact version
     Run: rustup show

  2. Different target triple
     Fix: ensure you're building for the same target
     Run: rustc --print target-list | grep your-arch

  3. Missing --locked flag
     Fix: always use --locked to use Cargo.lock versions

  4. Different RUSTFLAGS
     Fix: use exact path remapping flags shown above

  5. Different linker or system libraries
     Fix: use the Docker build environment (see below)

  6. Debug symbols not stripped
     Fix: run strip on the binary

Docker reproducible build (most reliable):
  docker build -t rvnt-build .
  docker run --rm -v $(pwd)/output:/output rvnt-build
  shasum -a 256 output/rvnt

Verification on Mobile

iOS:
  - App Store builds are signed by Apple (required)
  - You cannot compare hashes with App Store binaries
    (Apple re-signs and modifies the binary)
  - For verification: build from source via Xcode
    and install directly on your device

Android:
  - APK is signed with RVNT's Android release key
  - Verify APK signature:
    apksigner verify --print-certs RVNT-1.0.0.apk
  - Compare signing certificate fingerprint with
    published value on GitHub and website
  - For maximum assurance: build from source with
    ./gradlew assembleRelease and compare APK contents

What If Verification Fails

  1. Do not run the binary. Delete it immediately.
  2. Re-download from the official source. Use https://rvntos.io/download directly, not a third-party mirror.
  3. Try verification again. Ensure you imported the correct GPG key.
  4. If repeated failure: report it. Email security@rvntos.io. A verification failure on a legitimate download may indicate a compromised distribution channel.
  5. Build from source as a fallback. This is the most trustworthy path. See Build from Source.

Further Reading

Last updated: 2026-04-12

RVNT Documentation — Post-quantum encrypted communications